As the use of wireless local area networks (LANs) continues to grow, questions about the ability to protect transmissions from eavesdroppers refuse to go away. Last year, security researchers discovered that the basic technique used to encrypt transmissions, called Wired Equivalent Privacy (WEP), was fundamentally flawed. Today, software that allows an only modestly skilled hacker to capture traffic and perhaps intrude into a wireless network can easily be downloaded from the Internet.
Now a new problem has arisen -- and it's actually a result of the fixes that were supposed to better protect LANs from intruders. Details of the flaws are contained in a new paper ("An Initial Security Analysis of the IEEE 802.1X Protocol") by computer scientist William A. Arbaugh of the University of Maryland-College Park and his graduate student, Arunesh Mishra. It was funded by the National Institute of Standards & Technology (NIST). Arbaugh and Mishra found that two relatively easily implemented attacks can defeat the latest security technique, a bowl of alphabet soup created by the Institute of Electrical & Electronics Engineers and called 802.1X.
Actually, two separate but interrelated issues pose a threat to wireless LAN security. One is the relative ease with which unauthorized users can gain access to a network. The second is the relative ease with which the encryption can be broken. The 802.1X standard, which is built into Microsoft Windows XP and will be added to Windows 2000 in a service pack, is designed to deal with the first issue.
CYBER HIJACKING. Before 802.1X came along, networks were either open to anyone (perhaps requiring a password) or were restricted to specific computers based on a hardware address, which imposed a major administrative burden. The new standard provides for a number of methods by which users trying to get on the network can prove they are who they say they are, generally by providing a cryptographic key in response to a challenge.
The problem found by Arbaugh and Mishra is that while 802.1X lets the network access point make sure the user is authentic, it fails to provide a reciprocal method by which the user can guarantee the authenticity of the access point. This opens the door to what security experts call a "man-in-the-middle" attack: An intruder can pretend to be a legitimate access point and steal traffic. The researchers also describe a second form of attack, which they call "session hijacking," in which an intruder can pretend to be a legitimate user after gaining access to the network.
Arbaugh and Mishra say they have demonstrated their attacks in the lab. And they say it isn't surprising that the IEEE's response to the earlier security weaknesses has created a new problem. "You can't take two protocols and slap them together and necessarily get a secure protocol as a result," says Arbaugh.
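The missing reciprocal check described above, shown as an added example that is not from the article or the Arbaugh-Mishra paper. It is a simplified shared-key challenge-response model, not the 802.1X or EAP message format, and `prove`, `AccessPoint`, `one_way_join` and `mutual_join` are hypothetical names. It contrasts one-way authentication with a version in which the client also challenges the access point.

```python
import hashlib
import hmac
import secrets

def prove(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """HMAC-SHA256 answer; the role label keeps one side's answer from being replayed as the other's."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()

class AccessPoint:
    """Simplified access point; key=None models an impostor without the shared secret."""
    def __init__(self, key=None):
        self.key = key

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def accepts(self, response: bytes) -> bool:
        if self.key is None:  # impostor cannot verify, so it waves everyone through
            return True
        return hmac.compare_digest(response, prove(self.key, b"client", self.nonce))

    def answer(self, client_nonce: bytes) -> bytes:
        key = self.key if self.key is not None else secrets.token_bytes(32)  # impostor can only guess
        return prove(key, b"ap", client_nonce)

def one_way_join(client_key: bytes, ap: AccessPoint) -> bool:
    """Only the access point checks the user; True means the client goes on to send traffic."""
    return ap.accepts(prove(client_key, b"client", ap.challenge()))

def mutual_join(client_key: bytes, ap: AccessPoint) -> bool:
    """The client challenges the access point first and stops unless the answer verifies."""
    client_nonce = secrets.token_bytes(16)
    expected = prove(client_key, b"ap", client_nonce)
    if not hmac.compare_digest(ap.answer(client_nonce), expected):
        return False
    return ap.accepts(prove(client_key, b"client", ap.challenge()))

def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed shared secret for the example
    real, fake = AccessPoint(key), AccessPoint(None)
    return {
        "one_way_real": one_way_join(key, real),
        "one_way_fake": one_way_join(key, fake),  # client cannot tell the difference
        "mutual_real": mutual_join(key, real),
        "mutual_fake": mutual_join(key, fake),    # client refuses to proceed
    }
```

With one-way authentication the client proceeds against both access points; with the reciprocal check it proceeds only against the one that holds the shared key.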
TAKING IT PUBLIC. The Wireless Ethernet Compatibility Assn. (WECA), a trade group that promotes the use of wireless networks, downplays the importance of the Arbaugh-Mishra results. Says Intersil Corp. executive and WECA Chair Dennis Eaton: "The weaknesses are known and are in the process of being addressed within Task Group I," referring to an IEEE committee drafting new security standards that should be ratified before the end of 2002. Eaton says issues of this sort are better "worked on inside the committee rather than being debated in a public forum."
Arbaugh counters that it's better to get problems out in the open before the committee's work is finished. "The good news is that we have addressed the problems early and are working with Task Group I and NIST to fix them," he says. Arbaugh believes that beefing up the security of 802.1X can be done with some relatively simple changes. In the meantime, security experts suggest that anyone using a wireless LAN to send sensitive data use other means to encrypt content before sending it out over the air.

By Stephen H. Wildstrom in Washington, D.C.